This story is over 5 years old.


The Experimental Malware That Can Take Down Any Mac Made After 2011

Good luck getting rid of it.
​Good luck trying to get rid of this malware. ​Photo: Quentin Meulepas/Flickr

Anyone who's suffered the indignity of scrubbing, scanning, and restoring their files after a brush with malware knows that computer viruses suck. But whatever you've encountered, it's likely not as bad as Thunderstrike. It's the worst kind of malware there is.

Thunderstrike is a new proof-of-concept attack on Mac computers that was unveiled by programmer and hardware hacker Trammell Hudson at the annual Chaos Communication Congress last month—a well-known conference in Germany attended by hackers and digital activists worldwide. What makes Thunderstrike so different from your typical malware infection isn't how it's installed, but where.


Rather than infect a computer's operating system, Thunderstrike targets the software that sits underneath—the firmware or BIOS. Think of it as a pared down operating system that handles all of a computer's lower level functions before it boots, from power management to cooling. (When your laptop's fans start to sound like a jet engine, for example, you have the firmware to thank for that.)

But Thunderstrike can do far more damage than run up your energy bill. It can log keystrokes—passwords, basically—and compromise the operating system as it boots, opening the door to further chaos. Think remote access, and access to data not normally accessible from the firmware alone.

Security researcher Rob Graham, writing about the concept in 2013, explained how such an attack could then spread:

"What hackers can do is overwrite the BIOS flash memory, adding their own code that runs on startup. It's a little bit tricky, because eventually the BIOS hands off control to the operating system and ceases to run. There are a number of techniques a hostile BIOS needs to do in order to maintain control. For example, in the early phase of booting, the operating system uses the BIOS drivers to read from hard drives. Therefore, the BIOS might look at which files are being loaded, and then load hostile versions of some of them. Then, once the operating system switches over to using its own device drivers, the hostile code is already running inside the operating system."


And it gets worse. An attack on a computer's firmware can't be thwarted by simply reinstalling Windows or OS X—nor by replacing the computer's hard drive or flash memory chips. Oh, and there's currently no way to detect it, either. Once infected, it even disables the ability for Apple to update the firmware, making Thunderstrike near-impossible to remove for all but the person that put it there in the first place.

But therein lies the challenge: actually getting Thunderstrike onto a vulnerable computer. The attack is named because it is delivered using Apple's Thunderbolt port, a standard for physically connecting peripherals, like external monitors or hard drives. In other words, it requires physical access to the machine. Plug in a modified Thunderbolt ethernet adapter, say, and reboot the machine, and you've got yourself an infected Mac. (Only on computers built since 2011, though. Earlier Macs without Thunderbolt need not apply.)

This isn't the first time we've heard of attempts at compromising a computer's firmware. Numerous NSA documents detail highly targeted efforts to compromise the firmwares of networking devices and computers. There was also a strange case in 2013, in which security consultant Dragos Ruiu claimed some of his computers had been infected with an unknown firmware-targeting malware. Dubbed "badBIOS," he claimed the malware was especially pernicious; it could infect Mac and PC firmwares, was almost impossible to detect, and could transmit itself to computers that were completely disconnected from the network (airgapped) using high-frequency sound.

People regarded Ruiu's claims with healthy skepticism—and not without reason. Firmware is highly specific, customized for the exact components within a given machine. Being able to spread such malware wirelessly, and between different makes and models of computer, sounded far-fetched, if not highly difficult to pull off. Indeed, according to Hudson, "to the best of our knowledge there are no Mac firmware bootkits in the wild and Thunderstrike is only a proof-of-concept that does not have any malicious payload," Hudson wrote on his website in an FAQ posted following his talk.

But the fact that it's possible, and that Thunderstrike works on so many models of Mac, is certainly cause for some concern. Apple has already patched its most recent iMac Retina and Mac Mini models, according to Hudson, and similar patches should be available soon for older Macs. However, he cautioned that older systems can still be returned to an exploitable state, and that other exploits—including a remote exploit also unveiled at the conference, called Dark Jedi—could be used to achieve similar results.

Remember the good old days, when malware just held your computer ransom for money instead?